OPNsense Forum
Messages - bimbar

Pages: 1 ... 23 24 [25] 26 27 ... 30
361
German - Deutsch / Re: Best practice, last rule "allow all"
« on: November 04, 2021, 10:15:27 am »
Not only Source = LAN but also Destination = Internet, or rather !LAN, or something like that.

362
21.7 Legacy Series / Re: HA configuration and service awareness
« on: November 04, 2021, 10:14:27 am »
I see your point, it's about site2site tunnels, I was only thinking about passive endpoints.

363
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 03, 2021, 11:03:28 pm »
As I run it now, I have internal ULA addresses and NAT on WAN. The internal side is done with CARP fe80::1 and this is advertised via RA (there is a PR on GitHub that allows selecting the RA source address).
I have one external service with dyndns, but that's not redundant.

There is a heap of RFCs I have read that basically mean that in the end it's not possible, because the end devices do not cleanly implement said RFCs (source and next-hop selection). They don't even respect the RA priorities.

So that's not perfect. Maybe best to stick to IPv4 or use something like cloudflare for internal services.

364
21.7 Legacy Series / Re: HA configuration and service awareness
« on: November 03, 2021, 10:57:21 pm »
Why must wireguard be disabled on the backup node?

365
21.7 Legacy Series / Re: HA configuration and service awareness
« on: November 03, 2021, 12:06:51 pm »
For DHCP the builtin cluster functionality is used.

366
German - Deutsch / Re: Using DUAL WAN (VDSL) properly
« on: October 30, 2021, 04:54:33 pm »
You can set the gateway in firewall rules.

367
German - Deutsch / Re: Sensei crashes (swap)
« on: October 30, 2021, 04:50:27 pm »
Interesting, on my APU with a 16GB disk Sensei does not run at all; that may be due to the swap.

368
General Discussion / Re: Is it possible to advertise ULA prefix only to IPv6 client?
« on: October 28, 2021, 04:51:56 pm »
Yes, you can do local ULA only + NAT or NPTv6 (just like IPv4).
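To show what "ULA only + NPTv6" actually does at the border, here is an added example (written for this page, not code from the post, OPNsense or pf) of the RFC 6296 checksum-neutral prefix translation. The internal fd00:1234:5678::/48 and external 2001:db8:abcd::/48 prefixes, the addresses, and the class and function names are made up for the demo; only the mapping for prefixes of /48 or shorter is implemented.

```python
"""NPTv6 (RFC 6296): stateless, checksum-neutral prefix translation between an
internal ULA prefix and an external prefix, for the "ULA only + NPTv6" setup
suggested above.

Added example; not code from the forum post or from OPNsense/pf.  The prefixes
and addresses are made up (fd00::/8 ULA and the 2001:db8::/32 documentation
prefix), and only the mapping for prefixes of /48 or shorter (RFC 6296 section
3.1) is implemented.
"""
import ipaddress


def ones_complement_sum(words):
    """One's-complement sum of 16-bit words, the arithmetic behind TCP/UDP checksums."""
    total = 0
    for word in words:
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return total


def address_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_address(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def checksum_neutral(a, b):
    """True when a and b have the same one's-complement sum (0 and 0xFFFF both
    mean zero), so swapping one for the other leaves a TCP/UDP checksum intact."""
    return (ones_complement_sum(address_words(a)) % 0xFFFF
            == ones_complement_sum(address_words(b)) % 0xFFFF)


class NPTv6:
    """1:1 mapping between an internal and an external prefix of equal length
    (at most /48).  The 16-bit word at bits 48-63, the subnet field, absorbs the
    difference between the two prefixes so the address change is invisible to
    transport checksums; no per-flow state is needed in either direction."""

    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if (self.internal.prefixlen != self.external.prefixlen
                or self.internal.prefixlen > 48):
            raise ValueError("prefixes must have equal length, at most /48")
        # RFC 6296 section 3.1: adjustment = sum(internal /48) - sum(external /48),
        # in one's-complement arithmetic (negation is bitwise complement).
        in_sum = ones_complement_sum(address_words(self.internal.network_address)[:3])
        ex_sum = ones_complement_sum(address_words(self.external.network_address)[:3])
        self.adjust_out = ones_complement_sum([in_sum, ~ex_sum & 0xFFFF])
        self.adjust_in = ~self.adjust_out & 0xFFFF

    def outbound(self, addr):
        """Internal -> external: applied to the source address of packets leaving."""
        return self._map(addr, self.internal, self.external, self.adjust_out)

    def inbound(self, addr):
        """External -> internal: applied to the destination of packets arriving."""
        return self._map(addr, self.external, self.internal, self.adjust_in)

    @staticmethod
    def _map(addr, src_net, dst_net, adjust):
        address = ipaddress.IPv6Address(addr)
        if address not in src_net:
            return address                          # link-local, other prefixes: untouched
        host_mask = (1 << (128 - src_net.prefixlen)) - 1
        rewritten = int(dst_net.network_address) | (int(address) & host_mask)
        words = address_words(ipaddress.IPv6Address(rewritten))
        words[3] = ones_complement_sum([words[3], adjust])
        if words[3] == 0xFFFF:
            # 0xFFFF and 0x0000 are both zero in one's complement, so writing 0
            # keeps the mapping checksum-neutral and reversible.  RFC 6296 treats
            # 0xFFFF in the subnet field as a special case; this fold is the
            # example's own handling, check the RFC before relying on it.
            words[3] = 0
        return words_to_address(words)


if __name__ == "__main__":
    npt = NPTv6("fd00:1234:5678::/48", "2001:db8:abcd::/48")   # made-up prefixes
    inside = "fd00:1234:5678:1::10"
    outside = npt.outbound(inside)
    print(inside, "->", outside, "->", npt.inbound(outside))
    print("checksum neutral:", checksum_neutral(inside, outside))
```

The point to take from it: because the subnet word absorbs the prefix difference, the one's-complement sum of the address (and therefore of the TCP/UDP pseudo-header) is unchanged, so the translator rewrites no transport checksums and keeps no per-flow state, unlike NAT66 with an arbitrary mapping. The price is that the subnet IDs you see outside differ from the ones you use inside.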

369
Development and Code Review / I like opnsense :)
« on: October 23, 2021, 04:19:58 pm »
I have been hacking away at plugins for a few weeks now, and I have to say, it's pretty easy to develop for.
It has a fairly clean structure, and while it's not perfect, it's pretty good.

So keep up the good work.

370
21.7 Legacy Series / Re: IPv6 Track Interface with preferred interface suffix?
« on: October 23, 2021, 04:17:50 pm »
I don't think so. There is a whole set of feature requests about static suffixes with dynamic prefixes, firewall rules with dynamic prefixes and NPT with dynamic prefixes, but none of that yet exists.

I'd recommend using static ULA addresses or link-local addresses via alias or CARP, if that is possible in your case.

371
20.7 Legacy Series / Re: [Partly solved] WireGuard with virtual IP
« on: October 18, 2021, 10:50:44 am »
But you can install it on opnsense, and if you do, it seems to work.

372
21.7 Legacy Series / Re: Possible bug in Zerotier in HA configuration
« on: October 17, 2021, 06:01:56 pm »
I don't think that HA does anything with zerotier, you have to treat both firewalls as standalone for that.

373
21.7 Legacy Series / Re: HA cluster, IPv6 CARP and router advertisements - best practice?
« on: October 16, 2021, 02:50:39 pm »
Quote from: pmhausen on October 14, 2021, 08:24:57 pm
Hi all,

I have a pair of OPNsense firewalls and we are dual-stack throughout the entire data center. For IPv6 everything is routed, no NAT taking place. The DMZ depicted in the network overview has got a single "permit anything out" rule. From outside to the DMZ certain selected services to certain hosts are permitted, but as I said no NAT, port forwarding, just firewall rules.

                     +--------------------------------------------------------------+                       
                     |                                                              |                       
                     |                            Uplink                            |                       
                     |                                                              |                       
                     +--------^--------------------------------------------^--------+                       
                              |                                            |                               
                              |                                            |                               
                              |                                            |                               
                              |                                            |                               
                     +-----------------+                          +-----------------+                       
                     |                 |       HA-Interface       |                 |                       
                     |   OPNsense 1    |--------------------------|   OPNsense 2    |                       
                     |                 |                          |                 |                       
                     +-----------------+                          +-----------------+                       
                              |                                            |                               
                              |                    CARP                    |                               
 2a00:b580:a000:4000::252/64  +-------> 2a00:b580:a000:4000::254/64 <------+   2a00:b580:a000:4000::253/64 
 fe80::f690:eaff:fe00:6501/64 |                      |                     |   fe80::f690:eaff:fe00:6507/64
                              |                      |                     |                               
                              |                      |                     |                               
            #-----------------v----------------------v---------------------v-------------------#           
                                        DMZ 2a00:b580:a000:4000::/64                                       

We use SLAAC for host configuration in the DMZ and I configured radvd as pictured in the screenshot. What I would have expected as a result is that the CARP address is announced as the default router.

What happens instead is that the link-local address of the interface is announced. OK, this makes perfect sense in a single unit setup. But in our case both the active and the backup node announce their respective link-local addresses.

This leads to intermittent drops of TCP connections, and possibly other problems which we have not yet clearly identified, if a client with two default routes decides to switch gateways in the middle of a long-lived connection.

Questions:
  • Why isn't the global unicast CARP address announced instead of the link-local ones?
  • Even with link-local, shouldn't pfSync take care of keeping the state tables in sync so it should not happen that a packet hits the "default deny" rule?
  • When I manually disable radvd on the backup, things work reliably - shouldn't the HA mechanism take care of toggling the service on/off depending on the role of the node?
  • Related but different topic: what happens when I enable dhcpd in a HA setup? Shouldn't the HA mechanism disable the backup?
  • What's considered the best practice in this scenario?

DHCPv6 isn't of any use here, because it doesn't send a default gateway to the client systems. This is only sent via RA. I could configure all hosts statically in the DMZ, but once we get to the LAN, which at the moment uses SLAAC, too - because "what else" - that is out of the question. Too many devices coming and going.

Workaround: exempt "DHCPv6" from HA sync and disable RA on the backup node. But that means in case of a failover a manual intervention is necessary to get IPv6 working again.

So ... is there a solution?

Kind regards,
Patrick

I just found out: https://github.com/opnsense/core/pull/5185 should be exactly what you need, combined with a link-local CARP address. As far as I know, you cannot use a GUA as next-hop.
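To make concrete why the quoted setup ends up announcing each node's own link-local address, and why the replies in this thread and in the post above about CARP fe80::1 lean on a link-local CARP address: RFC 4861 gives a Router Advertisement no separate "router address" field. A host takes the IPv6 source address of the RA as the default router, and that source must be the sender's link-local address. The example below is added here and is not code from the thread, OPNsense or radvd; it constructs RA packets in memory (the fd00:1234:5678::/64 prefix and the fe80:: addresses are made up for the demo) and applies the Default Router List rules a host uses, so two nodes sourcing RAs from their own link-local addresses yield two default routers while a shared CARP link-local yields one.

```python
"""Router Advertisement parsing and the Default Router List a host builds from
RAs (RFC 4861 sections 4.2, 6.1.2, 6.3.4; RFC 4191 router preference).

Added example for this thread; not code from the forum posts, OPNsense or
radvd.  Packets are constructed in memory by build_ra(); the ULA prefix and
fe80:: addresses used below are made up and are not taken from the thread.
"""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_PREFIX_INFORMATION = 3            # RFC 4861 section 4.6.2
# RFC 4191 section 2.1: Prf is bits 3-4 of the RA flags byte; 10 is reserved
# and a receiver treats it as medium (00).
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}


def build_ra(src, prf=0b00, router_lifetime=1800, prefixes=(), hop_limit=255):
    """Construct an IPv6 packet carrying an RA from src to ff02::1.
    The ICMPv6 checksum is left at zero: this packet never reaches a wire."""
    flags = (prf & 0b11) << 3
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    for prefix, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = 0x80 | (0x40 if autonomous else 0)   # L (on-link) set, A (SLAAC) optional
        icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                            pflags, 86400, 14400, 0) + net.network_address.packed
    header = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + icmp)


def parse_ra(packet):
    """Validate an RA the way a receiving host must (RFC 4861 section 6.1.2)
    and return its source, router lifetime, preference and prefix options."""
    if len(packet) < 56:
        raise ValueError("too short for an IPv6 header plus RA")
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6 or next_header != 58:
        raise ValueError("not ICMPv6 in IPv6")
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:40 + payload_len]
    (msg_type, code, _csum, _cur_hl, flags, lifetime,
     _reachable, _retrans) = struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    if hop_limit != 255:
        raise ValueError("RA hop limit must be 255 (proves it was not forwarded)")
    if not src.is_link_local:
        # RFC 4861 section 4.2: the source MUST be the sender's link-local address,
        # so a GUA can never be what the host learns as its default router.
        raise ValueError("RA source must be link-local")
    prefixes = []
    offset = 16
    while offset + 2 <= len(icmp):                 # options are TLVs in 8-byte units
        opt_type, opt_len = icmp[offset], icmp[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        body = icmp[offset:offset + opt_len * 8]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[2:16])
            prefixes.append((str(ipaddress.IPv6Network((body[16:32], plen))),
                             bool(pflags & 0x40), valid, preferred))
        offset += opt_len * 8
    return {"router": src, "lifetime": lifetime,
            "preference": PRF_NAMES[(flags >> 3) & 0b11], "prefixes": prefixes}


def default_router_list(packets):
    """RFC 4861 section 6.3.4: an RA with non-zero Router Lifetime adds or
    refreshes its *source address* as a default router, lifetime 0 removes it.
    There is no separate router-address field in an RA, which is why a CARP
    GUA configured on the interface never appears in this list."""
    routers = {}
    for packet in packets:
        ra = parse_ra(packet)
        if ra["lifetime"] == 0:
            routers.pop(ra["router"], None)
        else:
            routers[ra["router"]] = ra["preference"]
    return routers


if __name__ == "__main__":
    ula = ("fd00:1234:5678::/64", True)            # made-up ULA prefix, SLAAC on
    own = [build_ra("fe80::1:1", prefixes=[ula]), build_ra("fe80::1:2", prefixes=[ula])]
    print("each node its own link-local:", default_router_list(own))
    shared = [build_ra("fe80::1", prefixes=[ula]), build_ra("fe80::1", prefixes=[ula])]
    print("both nodes sourcing the CARP link-local:", default_router_list(shared))
```

Two things follow for the HA case in the quoted question. First, as long as each node sends RAs from its own link-local address, the hosts legitimately keep two default routers and pick between them; pfsync keeping the state tables in sync does not change which gateway a host chooses. Second, if the backup node must announce at all, an RA from the same link-local source as the master with Router Lifetime 0 is the RFC 4861 way to withdraw that router from the hosts' lists, which is the mechanism a failover-aware radvd would have to use.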

374
21.7 Legacy Series / Re: HA cluster, IPv6 CARP and router advertisements - best practice?
« on: October 16, 2021, 02:19:09 pm »
I have another interesting link for that: https://datatracker.ietf.org/doc/html/rfc7157 "IPv6 Multihoming without Network Address Translation"

It talks about many of the same problems, namely gateway selection and source address selection. Sadly, not a lot of solutions.

375
21.7 Legacy Series / Re: HA cluster, IPv6 CARP and router advertisements - best practice?
« on: October 15, 2021, 07:52:06 pm »
I've been trying to do this right with multiple firewalls for the last 10 years now, but it never quite works the way it should. With opnsense I've come the closest so far.

I hope we're thinking about it the right way, if there even is such a thing, and don't want the wrong features that we don't even know yet we don't need, because there's a better way to do it, if that makes any sense.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved